If you have the Splunk Add-on for Cisco ASA installed, you should be able to
index=... sourcetype=...
| transaction session_id maxspan=1h startswith="Cisco_ASA_message_id=302013" endswith="Cisco_ASA_message_id=302014"
If you do not have the Splunk Add-on for Cisco ASA installed - well, I suggest installing it.
Seriously, though - for just your little piece you could probably rex up your own session_id. Here I went crazy with MY* for that (so it wouldn't conflict with what the Add-on is already doing)
index=... sourcetype=...
| rex "(?<MYmessage_id>\d+):\s+(Built|Teardown)\s+(outbound\s+)?TCP\sconnection\s(?<MYsession_id>\d+)"
| transaction MYsession_id maxspan=1h startswith="MYmessage_id=302013" endswith="MYmessage_id=302014"
Those both give you free duration and eventcount fields. Well, they are not actually free; they cost the price of running transaction instead of stats.
To use stats (broken up a bit for readability)...
index=network sourcetype=cisco:asa
| stats earliest(_time) AS startTime, latest(_time) AS endTime, count(_time) as eventcount,
list(src_ip) as src_ip, list(dest_ip) as dest_ip, list(dest_port) as dest_port BY session_id
| eval duration=endTime - startTime
You can list more things in the stats section or you could use something other than list and so on, but that should give you the idea. It calculates a duration and an eventcount for you.
Happy Splunking!
-Rich
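The same Built/Teardown pairing done outside Splunk, as an added example that is not part of Rich's answer: it applies the post's rex pattern (widened, my assumption, so inbound builds are captured too) to constructed ASA syslog lines, groups by session_id the way the stats search does, and additionally flags sessions that never saw a matching Teardown, which stats alone would report as duration 0.

```python
import re
from datetime import datetime

# Regex mirroring the rex in the post; widened here (my assumption) so that
# both "Built inbound" and "Built outbound" 302013 lines are captured.
ASA_CONN_RE = re.compile(
    r"%ASA-\d-(?P<message_id>\d+):\s+(?:Built|Teardown)\s+"
    r"(?:(?:in|out)bound\s+)?TCP\s+connection\s+(?P<session_id>\d+)"
)
BUILT, TEARDOWN = "302013", "302014"

# Constructed sample events; the leading ISO timestamp stands in for _time.
SAMPLE_LINES = [
    "2024-05-01T10:00:00 asa01 %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.5/51000 (10.0.0.5/51000)",
    "2024-05-01T10:00:05 asa01 %ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.7/52011 (198.51.100.7/52011) to dmz:10.0.1.20/22 (10.0.1.20/22)",
    "2024-05-01T10:01:00 asa01 %ASA-6-106015: Deny TCP (no connection) from 10.0.0.9/4040 to 10.0.0.5/80 flags RST on interface inside",
    "2024-05-01T10:02:30 asa01 %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/443 to inside:10.0.0.5/51000 duration 0:02:30 bytes 4096 TCP FINs",
]

def parse_line(line):
    """Return (time, message_id, session_id) for 302013/302014 lines, else None."""
    m = ASA_CONN_RE.search(line)
    if not m or m.group("message_id") not in (BUILT, TEARDOWN):
        return None
    return datetime.fromisoformat(line[:19]), m.group("message_id"), m.group("session_id")

def sessions(lines):
    """Group by session_id like the stats search: earliest/latest/count -> duration.
    Unlike stats, also flag sessions that lack a matching Built or Teardown."""
    by_sid = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg_id, sid = parsed
        s = by_sid.setdefault(sid, {"startTime": ts, "endTime": ts, "eventcount": 0, "ids": set()})
        s["startTime"] = min(s["startTime"], ts)
        s["endTime"] = max(s["endTime"], ts)
        s["eventcount"] += 1
        s["ids"].add(msg_id)
    for s in by_sid.values():
        s["duration"] = (s["endTime"] - s["startTime"]).total_seconds()
        s["complete"] = {BUILT, TEARDOWN} <= s["ids"]
    return by_sid

if __name__ == "__main__":
    for sid, s in sorted(sessions(SAMPLE_LINES).items()):
        print(sid, s["duration"], s["eventcount"], "complete" if s["complete"] else "OPEN/ORPHAN")
```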